I’ve decided to update the VPN router on my home network using a Raspberry Pi 2, and I’m quite impressed at how well it works. I was previously using a HomePlug AV adapter but found it to be a bit of a network bottleneck, so my Raspberry Pi 2 is now connected directly to my router with an ethernet cable.

Previously, I installed a DNS server (Unbound) as a caching recursive DNS server, this service resided on the same machine that I ran my VPN router on. Now however, after a bit of research I’ve decided to let my VPN’s DNS servers answer all the requests from my VPN connected devices.

I now run a separate DHCP/DNS server on my home network (DNSMasq) with a DNSCrypt wrapper that encrypts all the DNS requests that don’t go through my VPN Router.

What you need

You will need some networking knowledge and some familiarity with Linux administration.
A Raspberry Pi 2 or 3 running the current Raspbian Jessie Lite image (2016-03-18).

Configure a static IP address

The new version of the dhcpcd daemon included in the Jessie image doesn’t seem to read /etc/network/interfaces as it used to, so if you configure a static IP in the usual way you end up with two IP addresses on eth0: the static one you set and the lease dhcpcd still obtains.

The workaround is to configure the static IP address as you would normally, then disable the dhcpcd daemon and reboot. If you later decide to provision your Pi for something else, it’s easily reversible. Do both steps before rebooting if you are working over SSH; with dhcpcd disabled and no static address configured, the Pi would come up with no address at all. Note also that the dns-nameservers line in the configuration below is only acted on if the resolvconf package is installed; otherwise put the nameserver lines in /etc/resolv.conf yourself.

sudo systemctl disable dhcpcd.service

The configuration below gives the Pi the address 192.168.1.1 and uses 192.168.1.254 as the router’s IP address (the gateway); yours may be different, so remember to change them to suit your circumstances. You may also have to change the network address if your network differs from mine, which is 192.168.1.0/24.

sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    gateway 192.168.1.254
    dns-nameservers 8.8.8.8 8.8.4.4

Setting up the VPN client

Next, install OpenVPN on your Raspberry Pi and test it. The Pi acts as an OpenVPN client to your provider’s servers, so make sure the VPN provider you choose supports OpenVPN. I’ve provided an extensive list of VPN providers in the references section (right at the bottom); feel free to choose one after installing OpenVPN.

First off, you need to install openvpn. You can do this by typing the following at the prompt.

sudo apt-get install openvpn

After you’ve installed OpenVPN, you’ll need to choose a VPN provider. Ensure that the one you choose supports Linux and OpenVPN. A good provider will give you the option of downloading an OpenVPN configuration file, which should have the extension .ovpn. After you’ve downloaded the file to your Raspberry Pi, change the extension to .conf and copy it to the /etc/openvpn/ directory. If the file refers to separate files (a CA certificate, a client certificate and key, or an auth-user-pass credentials file), copy those into /etc/openvpn/ as well, because the systemd unit runs OpenVPN from that directory, and keep any credentials file readable by root only.

sudo cp your_vpn_provider.ovpn /etc/openvpn/your_vpn_provider.conf

Test that the VPN actually works.

sudo openvpn --config /etc/openvpn/your_vpn_provider.conf

If it’s working as expected, the last line of output is “Initialization Sequence Completed” and a new tun interface appears on the Pi; if you see TLS or AUTH errors instead, the tunnel is not up. Press ctrl-c to exit.

Enable VPN after reboot

sudo systemctl enable openvpn@your_vpn_provider

You should get a message similar to the one below; “openvpn@your_vpn_provider” will of course be whatever you’ve called your file.

Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@your_vpn_provider.service to /lib/systemd/system/openvpn@.service.
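Before relying on the tunnel as a router it is worth scripting the check rather than eyeballing the output. The following is an added example, not code from the original post: it looks for OpenVPN’s “Initialization Sequence Completed” message in the unit’s journal and confirms that default traffic is routed through a tun interface, which is what a provider config containing redirect-gateway should produce. The unit name openvpn@your_vpn_provider and the sample log and route lines used for the offline check are assumptions, not real captures.

```shell
#!/bin/sh
# Added example, not from the original post: verify the OpenVPN client is
# actually carrying traffic before the Pi is used as a router.
# PROVIDER (the openvpn@<name> unit) is an assumption; set it to your file name.
PROVIDER="${PROVIDER:-your_vpn_provider}"

# True when the log text contains OpenVPN's "tunnel is up" marker.
vpn_log_ok() {
    printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'
}

# True when the routing table sends default traffic through a tun device.
# "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1 via tun;
# plain "redirect-gateway" replaces the default route itself, so accept both.
route_uses_tun() {
    printf '%s\n' "$1" | grep -Eq '^(default|0\.0\.0\.0/1|128\.0\.0\.0/1) .*dev tun[0-9]+'
}

# Live check against the running system (needs journalctl and iproute2).
check_live() {
    log=$(journalctl -u "openvpn@$PROVIDER" --no-pager 2>/dev/null)
    routes=$(ip -4 route show 2>/dev/null)
    vpn_log_ok "$log" || { echo "openvpn@$PROVIDER never logged 'Initialization Sequence Completed'"; return 1; }
    route_uses_tun "$routes" || { echo "default route is not via a tun interface: traffic would bypass the VPN"; return 1; }
    echo "VPN is up and is the default route"
}

# Constructed sample data (not real captures) so the checks can be tried offline.
SAMPLE_LOG_OK='Mar 20 10:00:01 raspberrypi openvpn[512]: TUN/TAP device tun0 opened
Mar 20 10:00:02 raspberrypi openvpn[512]: Initialization Sequence Completed'
SAMPLE_LOG_BAD='Mar 20 10:00:01 raspberrypi openvpn[512]: TLS Error: TLS handshake failed
Mar 20 10:00:01 raspberrypi openvpn[512]: SIGUSR1[soft,tls-error] received, process restarting'
SAMPLE_ROUTES_OK='0.0.0.0/1 via 10.4.0.5 dev tun0
default via 192.168.1.254 dev eth0
10.4.0.1 via 10.4.0.5 dev tun0
128.0.0.0/1 via 10.4.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'
SAMPLE_ROUTES_BAD='default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'

# Run the live check only when asked: LIVE=1 sh vpn_check.sh
if [ "${LIVE:-0}" = 1 ]; then
    check_live
fi
```

Run it with LIVE=1 after the service has started; a clean “systemctl status” is not enough on its own, because the unit stays active while OpenVPN retries a failed TLS handshake, and a Pi with a dead tunnel and no firewall simply keeps forwarding via eth0.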

Firewalling the interface and enabling forwarding

Below is the shell script I wrote (with the help of online resources). It firewalls the tunnel interface and the internal eth0 interface, and forwards traffic from the home network only from eth0 into the tunnel. Because the FORWARD policy is DROP and no rule forwards traffic back out of eth0, if the openvpn daemon shuts down or the connection to your VPN provider goes down, all traffic stops being forwarded instead of leaking out through your ISP.

The only parts that need changing are the Home_Network variable, which is currently set to my home network (192.168.1.0/24), and the VPN_DNS variable, which holds the DNS servers supplied by your VPN provider. Download the script (or cut and paste it) to your Pi.

#!/bin/bash
# Filename - firewall.sh
# Written by William Dickson
#
# http://security.blogoverflow.com/2011/08/base-rulesets-in-iptables/
#
# My Private Class C Network, your network may be different.
Home_Network=192.168.1.0/24
# My VPN providers DNS servers (not used by the rules shown here).
VPN_DNS="10.4.0.1 10.5.0.1"

# Flush previous rules, delete chains and reset counters
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Create two user-defined chains that we will use to
# open ports in the firewall.
iptables -N TCP
iptables -N UDP

# SSH Open Port (from the home network only).
iptables -A TCP -s $Home_Network -p tcp --dport 22 -j ACCEPT

# Open ports if you're running a DNS cache server on the same device.
# iptables -A UDP -s $Home_Network -p udp --dport 53 -j ACCEPT
# iptables -A TCP -s $Home_Network -p tcp --dport 53 -j ACCEPT

# ntopng web interface
iptables -A TCP -s $Home_Network -p tcp --dport 3000 -j ACCEPT

# Zeroconfig mdns port (only needed if the Pi runs avahi/mDNS).
iptables -A UDP -p udp -m udp --dport 5353 -j ACCEPT

# NTP Open Port (only needed if the Pi is itself an NTP server;
# replies to the Pi's own NTP client are covered by ESTABLISHED below).
iptables -A UDP -p udp --dport 123 -j ACCEPT

# Create two user-defined chains for the forward rules.
iptables -N fw-interfaces
iptables -N fw-open

# Create user-defined rules for the fw-interfaces chain: the only
# forwarding path is from eth0 into a tun interface, i.e. into the VPN.
iptables -A fw-interfaces -i eth0 -o tun+ -s $Home_Network -j ACCEPT

# Allow anything on the local link.
iptables -A INPUT -i lo -j ACCEPT

# Input chain and user defined chains (UDP and TCP) for open ports.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -j UDP
iptables -A INPUT -p tcp --syn -m state --state NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Forwarding rules and user defined chain.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j fw-interfaces
iptables -A FORWARD -j fw-open
iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach

# Change the address of an incoming packet from the gateway to a LAN machine.

To change permission on the firewall.sh script (make it executable), type the following.

sudo chmod 744 firewall.sh

Run the script and apply the firewall.

sudo ./firewall.sh

I want to make the firewall rules persistent, so I’m going to install a package called iptables-persistent.

sudo apt-get install iptables-persistent

Make the rules apply at startup

sudo systemctl enable netfilter-persistent

If at any time you re-run the firewall.sh script after updating or changing it, you will have to save the rules with iptables-persistent again, otherwise the previously saved rules come back at the next reboot. The command for that is:
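The script as captured above stops at the NAT comment, and it does not turn on IP forwarding, so on its own it will not route anything. The following is an added example, not the post’s firewall.sh: it generates a complete kill-switch ruleset that forwards LAN traffic only into the tunnel, masquerades it there, and redirects the LAN’s DNS queries to the provider’s resolver, which is reachable only through the tunnel, so a dead VPN also stops DNS leaking to the ISP. The interface names, the LAN range and the resolver addresses are assumptions that mirror the post’s Home_Network and VPN_DNS variables, and netfilter-persistent save is the command I use to store the rules for iptables-persistent to restore at boot.

```shell
#!/bin/sh
# Added example, not the original post's firewall.sh: generate (and optionally
# apply) a VPN kill-switch ruleset for a one-NIC Raspberry Pi router.
# LAN, LAN_IF, VPN_IF and VPN_DNS are assumptions matching the post's variables.
LAN="${LAN:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"                  # faces both the LAN and the ISP router
VPN_IF="${VPN_IF:-tun+}"                  # any OpenVPN tun interface
VPN_DNS="${VPN_DNS:-10.4.0.1 10.5.0.1}"   # provider resolvers, tunnel-only

# Print the ruleset as iptables commands; nothing is applied by this function.
rules() {
    set -- $VPN_DNS                       # $1 = primary provider resolver
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN -p icmp --icmp-type 8 -j ACCEPT
# Kill switch: the only forwarding path is LAN -> tunnel. With no rule that
# forwards out of $LAN_IF, a dead tunnel leaves LAN traffic with nowhere to go.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
# Pin LAN DNS to the provider's resolver, whatever the client was configured with.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN -p udp --dport 53 -j DNAT --to-destination $1
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN -p tcp --dport 53 -j DNAT --to-destination $1
# Source NAT only on the tunnel, never toward the ISP.
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
EOF
}

# Static check of a ruleset read on stdin: every FORWARD ACCEPT other than
# the conntrack rule, and every MASQUERADE, must leave via the tunnel.
kill_switch_ok() {
    awk -v vpn="$VPN_IF" '
        BEGIN { bad = 0 }
        /^iptables -A FORWARD/ && /-j ACCEPT/ && !/ESTABLISHED/ && index($0, "-o " vpn) == 0 { bad = 1 }
        /MASQUERADE/ && index($0, "-o " vpn) == 0 { bad = 1 }
        END { exit bad }'
}

# Enable forwarding, load the rules, and save them for iptables-persistent.
apply() {
    rules | kill_switch_ok || { echo "refusing to apply: ruleset would leak past the tunnel"; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    rules | sh -e
    netfilter-persistent save
}

# Apply only when asked: APPLY=1 sudo sh vpn-killswitch.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply
fi
```

Two things this deliberately leaves alone, as the post’s script does: the Pi’s own lookups still follow /etc/resolv.conf out of eth0 because OUTPUT is ACCEPT, and the sysctl is not persistent, so add net.ipv4.ip_forward=1 to /etc/sysctl.conf as well.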

To fix this I had to install a couple of libraries; the instructions are below.

sudo apt-get install libpcap0.8
sudo apt-get install libmysqlclient18

Restart ntopng

sudo systemctl restart ntopng.service

Change the default ntopng login

Fire up your favourite browser and point it at the IP address of your new VPN router with the ntopng port appended. For me that would be http://192.168.1.1:3000; if you used a different IP address, just append the port number to that address instead.

After installing ntopng, change the admin password as soon as you first log in; the web interface is reachable by everything on your LAN, and the defaults are as follows.

Default login – admin
Default password – admin

Screenshots of ntopng.

All hosts currently using my VPN router on my home network.

Showing one host on my network, and as you can see, you can look at the traffic type, ports, peers and protocols. It’s a great addition if you’re sharing your VPN with others in your family or friends. It allows you to see if someone is hogging your bandwidth or doing something a bit suspect.

It’s a really great program and if you find it useful then I would definitely buy a licence, because the paid version has a lot more functionality. If you want to see what the paid version looks like, restart your VPN router and connect to ntopng; it runs the pro version for 10 minutes before falling back to the community version. If you like it, you can purchase a licence for the pro version from here. Alternatively, if you have a little cash, you can also make a donation to the project.

First thing you’ll need to do is register at the Hurricane Electric Website and create your own tunnel. I’m not going to go over that since there’s a lot of help on the Hurricane Electric Website about it. These instructions only apply to you, after you’ve registered as a user, and set up your tunnel on their website.


Take a note of your Tunnel details from the Hurricane Electric website, you’ll need them to set up your Linux IPv6 Gateway. The IPv6 addresses are used for documentation purposes only, see RFC 3849 (no point showing everyone on the Internet my home IPv6 address range).

HE Server IPv4 Endpoint: 216.66.80.26
Static IPv6 assignment from my routable range: 2001:DB8:8:7aa::1
Client IPv6 Endpoint: 2001:DB8:7:7aa::2

Ok first thing to do is enable IPv6 support on your raspberry pi, at the prompt type.

sudo modprobe ipv6

To make the change permanent, you will have to edit the modules file and have your pi load it at start-up (reboot). To do this edit the modules file, type the following.

sudo nano /etc/modules

Your modules file should look similar to this after you append the “ipv6” line at the end.

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.

snd-bcm2835
ipv6

You need to edit /etc/network/interfaces and add your own data in two places. The first part goes inside the stanza for your own network adaptor (usually eth0), indented under its iface line; the second part is a new stanza for the tunnel interface, added after it.

sudo nano /etc/network/interfaces

Adding a static IPv6 address from my routable range to eth0.

Adding the Hurricane Electric tunnel interface (called he-ipv6).

Please note that the two addresses are on different networks: eth0 gets an address from the /64 that HE routes to you, while the tunnel interface uses the separate /64 that HE assigns to the two tunnel endpoints.

# Adding an IPv6 address to the eth0 interface.
# Interface up
    up ip -6 addr add 2001:DB8:8:7aa::1/64 dev eth0
# Interface down
    down ip -6 addr del 2001:DB8:8:7aa::1/64 dev eth0

The IPv6 and IPv4 setting below will of course be yours and not the ones I’ve made up for the purpose of showing how it’s done 🙂

# IPv6 via Hurricane Electric Tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    # HE uses ::1 for its own end of the tunnel and ::2 for yours (the
    # "Client IPv6 Endpoint" above), so ::2 is the address and ::1 the gateway.
    address 2001:DB8:7:7aa::2
    netmask 64
    endpoint 216.66.80.26
    gateway 2001:DB8:7:7aa::1
    ttl 255
    # The MTU set on my router "negotiated via my ISP" is
    # 1492. So 1492 - 20 = 1472 (20 bytes for the outer IPv4 header).
    # If your router's MTU is 1500, then you can just leave
    # the following line out as it will default to 1480.
    mtu 1472

Now we’ll deal with DNS. You have two options: either use your ISP’s DNS servers and hope they are set up to handle IPv6 resolution, or use free public recursive DNS servers. I’m going to use Google’s public recursive DNS servers, which I know work.

To set this up, you’ll need to edit the /etc/resolv.conf file and add the DNS servers. Bear in mind that if dhcpcd (or the resolvconf package) is managing this file it will overwrite your edit at the next boot or lease; with dhcpcd disabled as in the static IP section above, the file stays as you leave it. Type the following at the prompt.

sudo nano /etc/resolv.conf

Add the following and save.

nameserver 8.8.8.8
nameserver 8.8.4.4

Testing the Tunnel

Before we go any further, we’re going to bring the tunnel up and test it.

At the prompt, type the following.

sudo ifup he-ipv6

To test, type the following.

ping6 -c 5 ipv6.google.com

You should get similar results to me.

ping6 -c 5 ipv6.google.com
PING ipv6.google.com(we-in-x68.1e100.net) 56 data bytes
64 bytes from we-in-x68.1e100.net: icmp_seq=1 ttl=57 time=31.2 ms
64 bytes from we-in-x68.1e100.net: icmp_seq=2 ttl=57 time=30.7 ms
64 bytes from we-in-x68.1e100.net: icmp_seq=3 ttl=57 time=30.9 ms
64 bytes from we-in-x68.1e100.net: icmp_seq=4 ttl=57 time=31.3 ms
64 bytes from we-in-x68.1e100.net: icmp_seq=5 ttl=57 time=31.3 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 30.780/31.119/31.358/0.297 ms

If your results are similar to the above then your Raspberry Pi is connected to the IPv6 Internet (Hurrah!) :-). If not, check your IPv6 settings and ask for help on the HE forum here.

Now we need to bring the interface down; we’ll bring it back up again after we’ve firewalled it, because until then every host in your routed /64 is directly reachable from the IPv6 Internet. Like this:
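The post’s own IPv6 rules are not on the page as captured. As an added example, not the post’s code, here is the ruleset I would put on the he-ipv6 tunnel before bringing it back up. The point a practitioner most often gets wrong is ICMPv6: unlike IPv4, it cannot be dropped wholesale, because Packet Too Big is what makes path MTU discovery work across the 1472-byte tunnel configured above and the neighbour discovery types replace ARP. The interface names and the routed prefix (in the RFC 3849 documentation range, as in the post) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: firewall the he-ipv6 tunnel
# before bringing it up. Interface names and the routed prefix are assumptions
# (2001:db8::/32 is the RFC 3849 documentation range, as in the post).
TUN_IF="${TUN_IF:-he-ipv6}"
LAN_IF="${LAN_IF:-eth0}"
ROUTED="${ROUTED:-2001:db8:8:7aa::/64}"   # the /64 HE routes to you

# ICMPv6 is load-bearing on IPv6. Types 1-4 are errors (2 = Packet Too Big,
# which path MTU discovery over a 1472-byte tunnel relies on), 128/129 are
# echo, 133-136 are neighbour discovery and 137 is redirect. Drop them and
# connections hang or neighbours become unreachable.
ICMP6_TYPES="1 2 3 4 128 129 133 134 135 136 137"

# Print the ruleset as ip6tables commands; nothing is applied here.
rules6() {
    cat <<EOF
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for t in $ICMP6_TYPES; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        echo "ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    cat <<EOF
ip6tables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# LAN hosts in the routed /64 go out through the tunnel; nothing from the
# Internet may open a connection in (no inbound exposure by default).
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -s $ROUTED -j ACCEPT
ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
EOF
}

# Check a ruleset read on stdin (this generator's output or a live
# "ip6tables-save" dump) admits every essential ICMPv6 type on both chains.
icmp6_ok() {
    text=$(cat)
    for t in $ICMP6_TYPES; do
        for chain in INPUT FORWARD; do
            printf '%s\n' "$text" | grep -Eq -- "-A $chain -p ipv6-icmp .*--icmpv6-type $t -j ACCEPT" \
                || { echo "ICMPv6 type $t is not accepted in $chain"; return 1; }
        done
    done
}

# Enable IPv6 forwarding, load and save the rules, then bring the tunnel up.
apply6() {
    rules6 | icmp6_ok || return 1
    sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null
    rules6 | sh -e
    netfilter-persistent save
    ifup "$TUN_IF"
}

# Apply only when asked: APPLY=1 sudo sh he-ipv6-firewall.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply6
fi
```

After the rules are live, ip6tables-save | sh -c 'icmp6_ok' style checks are simplest done by piping the dump into the same function from a shell that has sourced the script; the regex accepts both the generated form and the “-m icmp6” form ip6tables-save prints.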

I’ve decided to graph my small home network, so I thought I would see if I could find the OIDs for my Billion 7800n router. First I tried the Billion website and was surprised not to find them there. I managed to find some information on other websites (not a huge amount), but it seems that Billion have changed the format of the information between firmware revisions.

Billion 7800n SNMP Page

Assuming you’ve enabled SNMP on your router and installed the SNMP tools on your Linux workstation, this command will give you a list of all the OIDs.

If you can’t be bothered to install the SNMP tools then feel free to grab the zip file of the results for the following software version: 1.06e.

snmpwalk -v1 -c public 192.168.1.254

Note that “public” is the factory-default read community and SNMP v1 sends it in the clear, so change the community string on the router and make sure SNMP only answers on the LAN side; anyone who can reach it with the right community gets the whole tree that snmpwalk returns.

As it happens, I’ll only be graphing a few of the salient attributes of the router, using either Cacti or Nagios in a home environment.